Support Vrbo Accounts with Enforced 2FA During Authentication

IGMS consistently has issues syncing with VRBO (Legacy API).

Summary

IGMS currently cannot connect to Vrbo accounts that have mandatory two-factor authentication (2FA) enabled. Because Vrbo increasingly enforces 2FA at the account level (and does not allow some users to disable it), this prevents pricing, messaging, and calendar sync for affected hosts and can lead to repeated HomeAway account lockouts.

This is not a credentials issue, but an authentication flow limitation.


Problem Description

When a Vrbo account has enforced 2FA enabled:

  • Direct login via the Vrbo website and mobile app works normally

  • Third-party authentication attempts via IGMS fail

  • IGMS appears to retry authentication multiple times without completing the 2FA challenge

  • Vrbo interprets these repeated attempts as failed logins

  • The account is temporarily locked at the HomeAway/Vrbo security level

This creates a loop where:

  • Credentials are correct

  • The Vrbo account is active and listings are live

  • IGMS cannot authenticate

  • The user is repeatedly locked out

Because users cannot always disable 2FA on Vrbo, this effectively blocks IGMS ↔ Vrbo integration for a growing number of hosts.


Why This Matters

Vrbo is increasingly enforcing stronger account security, including mandatory 2FA. PMS platforms that rely on legacy username/password authentication without interactive 2FA handling will continue to encounter:

  • failed connections

  • account lockouts

  • increased support load

  • user churn to PMS platforms with OAuth-based integrations

This is a platform-level compatibility issue, not a user configuration problem.


Proposed Solution

When authenticating with Vrbo:

  1. IGMS should attempt authentication once

  2. If Vrbo responds indicating that 2FA is required:

    • Prompt the user to select a 2FA delivery method (e.g., SMS)

    • Trigger the 2FA challenge via Vrbo

  3. Provide a secure input field in IGMS for the user to enter the received 2FA code

  4. Pass the 2FA code back to the Vrbo API to complete authentication

  5. Store the resulting authorization/token for ongoing sync

This mirrors how interactive authentication is handled successfully in modern OAuth-style integrations and would prevent repeated failed login attempts and account lockouts.


Alternative / Longer-Term Improvement

Migrate fully to Vrbo’s newer OAuth / partner-based authentication model, which removes the need for password + 2FA handling entirely and avoids this class of issue going forward.


Expected Outcome

  • Successful Vrbo connections for accounts with enforced 2FA

  • No repeated authentication retries

  • No Vrbo/HomeAway account lockouts

  • Reduced support burden for both IGMS and Vrbo

  • Improved reliability and trust in IGMS’s Vrbo integration


Closing

This issue is likely to impact more users over time as Vrbo continues to strengthen account security. Supporting interactive 2FA (or migrating fully to OAuth) would make IGMS’s Vrbo integration significantly more robust and future-proof.

Thank you for considering this request.

Status

In Review

Board

💡 Feature Request

Date

About 1 month ago

Author

David Lewis
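
The proposed flow above, sketched as a small state machine next to the blind-retry behaviour the post describes. This is an added example, not part of the original post and not IGMS or Vrbo code: `FakeProvider`, its reply fields (`status`, `methods`, `txn`, `token`) and its three-strike lock threshold are constructed assumptions standing in for the remote login service.

```python
from enum import Enum

class State(Enum):
    IDLE, AWAITING_CODE, CONNECTED, FAILED = range(4)

class FakeProvider:
    """Constructed stand-in for the remote login service (not Vrbo's real API).
    Locks the account after 3 password logins whose 2FA challenge was never completed."""
    def __init__(self, password, code):
        self.password, self.code = password, code
        self.unfinished, self.locked = 0, False

    def login(self, password):
        if self.locked or password != self.password:
            return {"status": "denied"}
        self.unfinished += 1
        self.locked = self.unfinished >= 3
        return {"status": "2fa_required", "methods": ["sms"], "txn": "txn-1"}

    def verify(self, txn, code):
        if self.locked or code != self.code:
            return {"status": "denied"}
        self.unfinished = 0
        return {"status": "ok", "token": "constructed-token"}

class Connector:
    """Steps 1-5 of the proposal: one attempt, then wait for the user."""
    def __init__(self, provider):
        self.provider, self.state, self.token, self.txn = provider, State.IDLE, None, None

    def start(self, password):
        if self.state is not State.IDLE:
            raise RuntimeError("already attempted; a retry needs explicit user action")
        reply = self.provider.login(password)            # step 1: exactly once
        if reply["status"] != "2fa_required":
            self.state = State.FAILED
            return []
        self.txn, self.state = reply["txn"], State.AWAITING_CODE
        return reply["methods"]                          # step 2: caller prompts for a method

    def submit_code(self, code):                         # steps 3-4
        if self.state is not State.AWAITING_CODE:
            raise RuntimeError("no pending 2FA challenge")
        reply = self.provider.verify(self.txn, code)
        self.state = State.CONNECTED if reply["status"] == "ok" else State.FAILED
        self.token = reply.get("token")                  # step 5: keep the token
        return self.state

def blind_retry(provider, password, tries=3):
    """The failure mode described above: re-sending the password, never the code."""
    for _ in range(tries):
        provider.login(password)
    return provider.locked
```
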
